Monthly Security Bulletin Webcast Q&A – November 2009

Hosts:                   Adrian Stone, Senior Security Program Manager Lead

                                Jerry Bryant, Senior Security Program Manager Lead

Website:             TechNet/security

Chat Topic:         November 2009 Security Bulletin
Date:                     Wednesday, November 11, 2009


Q: It looks like MS09-063 is only vulnerable to attacks via the local subnet, so is a Vista computer connected via Wi-Fi with the network configured as public, vulnerable?

A: In its most restrictive policy, “Public”, the Windows firewall will block all traffic to the affected ports that WSD (Web Services on Devices) may use. As such, this vulnerability cannot be exploited when your Windows client is configured to a Wi-Fi hotspot with the network configured as Public. Even in its least restrictive policy, “Home”, attacks would only be possible from the local subnet.


Q: Is there any log left on the computer that I can check after running the Malicious Software Removal Tool (MSRT), when choosing a complete/full scan?

A: We do have a knowledge base article that describes the Malicious Software Removal Tool in detail: KB890830.


Q: With regards to MS09-066, I am trying to understand why it impacts Windows XP. If it is an AD/DS bug, and since Windows XP does not include a directory service except for the LSA, does this impact the LSA also?

A: The affected XP component is ADAM (Active Directory Application Mode), an optional add-on component for Windows XP. If you do not have this component installed, you do not require this update.


Q: Regarding MS09-064, can the license service be disabled as a mitigation? Additionally, what are the consequences of disabling License Logging Service?

A: Yes, disabling the license logging service is an effective mitigation and prevents the machine from being attacked completely. The steps to do this are described under “Workarounds” in the respective security bulletin.


When disabled, you lose centralized logging of license failures: for instance, if a user purchased 500 licenses, and 505 are in use, the server being accessed would still log the licensing issue locally, but not on the License Logging Service. On Windows Small Business Server 2000, we recommend that you do not disable the License Logging Server, as it does depend on the server.


Q: Regarding MS09-068, can the attack execute if the affected file is not opened, but viewed via the preview function in Outlook 2007?

A: The preview parser in Outlook works differently than the document parser in Word itself. We did investigate this aspect. This vulnerability cannot be exploited through the Word document preview feature.


Q: For MS09-066, is there an easy way to tell if ADAM is installed on an XP machine?

A: Yes, You can validate whether ADAM is installed by going to “Add or Remove Programs”, then “Add/Remove Windows Components” and validate whether “Active Directory Application Mode (ADAM)” is installed on the system. This is a non-default component on Windows XP and unless explicitly installed by the administrator, it is not available to users and systems are not affected. The application will also show up under Start/Programs/ADAM.


Q: Is it possible to import KB971029 (restrict AutoRun entries in the AutoPlay dialog to only CD and DVD drives) into Windows Server Update Service (WSUS) yet?
From KB967940: Why are there two places to get this update?

These updates are available in two places due to the way the updates were originally offered. The updates that were offered in Microsoft Knowledge Base Article 953252 were not available from automatic updating (including Automatic Updates, Windows Update, and Windows Server Update Services) and therefore required users to manually find these updates and install them. The updates that are offered in Microsoft Knowledge Base Article 967715 contain the same updates that correctly respect the registry keys values to disable Autorun as in Microsoft Knowledge Base Article 953252, but are being distributed via automatic updating.